Hay
Sign in
Date
July 15, 2025, 11:35 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64 

[   53.565724] ==================================================================
[   53.565908] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   53.572425] Read of size 1 at addr ffff000801af8400 by task kunit_try_catch/308
[   53.579716] 
[   53.581204] CPU: 3 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   53.581262] Tainted: [B]=BAD_PAGE, [N]=TEST
[   53.581281] Hardware name: WinLink E850-96 board (DT)
[   53.581308] Call trace:
[   53.581322]  show_stack+0x20/0x38 (C)
[   53.581358]  dump_stack_lvl+0x8c/0xd0
[   53.581394]  print_report+0x118/0x5d0
[   53.581424]  kasan_report+0xdc/0x128
[   53.581453]  __asan_report_load1_noabort+0x20/0x30
[   53.581485]  mempool_uaf_helper+0x314/0x340
[   53.581516]  mempool_kmalloc_uaf+0xc4/0x120
[   53.581548]  kunit_try_run_case+0x170/0x3f0
[   53.581579]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   53.581615]  kthread+0x328/0x630
[   53.581644]  ret_from_fork+0x10/0x20
[   53.581679] 
[   53.649421] Allocated by task 308:
[   53.652805]  kasan_save_stack+0x3c/0x68
[   53.656623]  kasan_save_track+0x20/0x40
[   53.660443]  kasan_save_alloc_info+0x40/0x58
[   53.664696]  __kasan_mempool_unpoison_object+0x11c/0x180
[   53.669991]  remove_element+0x130/0x1f8
[   53.673810]  mempool_alloc_preallocated+0x58/0xc0
[   53.678498]  mempool_uaf_helper+0xa4/0x340
[   53.682578]  mempool_kmalloc_uaf+0xc4/0x120
[   53.686744]  kunit_try_run_case+0x170/0x3f0
[   53.690911]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   53.696380]  kthread+0x328/0x630
[   53.699591]  ret_from_fork+0x10/0x20
[   53.703150] 
[   53.704627] Freed by task 308:
[   53.707666]  kasan_save_stack+0x3c/0x68
[   53.711484]  kasan_save_track+0x20/0x40
[   53.715303]  kasan_save_free_info+0x4c/0x78
[   53.719470]  __kasan_mempool_poison_object+0xc0/0x150
[   53.724504]  mempool_free+0x28c/0x328
[   53.728150]  mempool_uaf_helper+0x104/0x340
[   53.732316]  mempool_kmalloc_uaf+0xc4/0x120
[   53.736483]  kunit_try_run_case+0x170/0x3f0
[   53.740650]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   53.746119]  kthread+0x328/0x630
[   53.749332]  ret_from_fork+0x10/0x20
[   53.752889] 
[   53.754368] The buggy address belongs to the object at ffff000801af8400
[   53.754368]  which belongs to the cache kmalloc-128 of size 128
[   53.766867] The buggy address is located 0 bytes inside of
[   53.766867]  freed 128-byte region [ffff000801af8400, ffff000801af8480)
[   53.778930] 
[   53.780410] The buggy address belongs to the physical page:
[   53.785967] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881af8
[   53.793950] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   53.801589] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   53.808532] page_type: f5(slab)
[   53.811669] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[   53.819388] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   53.827116] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[   53.834926] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   53.842739] head: 0bfffe0000000001 fffffdffe006be01 00000000ffffffff 00000000ffffffff
[   53.850551] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   53.858357] page dumped because: kasan: bad access detected
[   53.863911] 
[   53.865387] Memory state around the buggy address:
[   53.870169]  ffff000801af8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.877372]  ffff000801af8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.884575] >ffff000801af8400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.891776]                    ^
[   53.894991]  ffff000801af8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.902196]  ffff000801af8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.909399] ==================================================================
[   54.150847] ==================================================================
[   54.160182] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   54.167295] Read of size 1 at addr ffff0008048cd240 by task kunit_try_catch/312
[   54.174584] 
[   54.176071] CPU: 2 UID: 0 PID: 312 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   54.176126] Tainted: [B]=BAD_PAGE, [N]=TEST
[   54.176143] Hardware name: WinLink E850-96 board (DT)
[   54.176166] Call trace:
[   54.176181]  show_stack+0x20/0x38 (C)
[   54.176215]  dump_stack_lvl+0x8c/0xd0
[   54.176251]  print_report+0x118/0x5d0
[   54.176279]  kasan_report+0xdc/0x128
[   54.176304]  __asan_report_load1_noabort+0x20/0x30
[   54.176340]  mempool_uaf_helper+0x314/0x340
[   54.176373]  mempool_slab_uaf+0xc0/0x118
[   54.176407]  kunit_try_run_case+0x170/0x3f0
[   54.176440]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   54.176474]  kthread+0x328/0x630
[   54.176504]  ret_from_fork+0x10/0x20
[   54.176542] 
[   54.244030] Allocated by task 312:
[   54.247417]  kasan_save_stack+0x3c/0x68
[   54.251233]  kasan_save_track+0x20/0x40
[   54.255052]  kasan_save_alloc_info+0x40/0x58
[   54.259305]  __kasan_mempool_unpoison_object+0xbc/0x180
[   54.264513]  remove_element+0x16c/0x1f8
[   54.268334]  mempool_alloc_preallocated+0x58/0xc0
[   54.273020]  mempool_uaf_helper+0xa4/0x340
[   54.277100]  mempool_slab_uaf+0xc0/0x118
[   54.281006]  kunit_try_run_case+0x170/0x3f0
[   54.285173]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   54.290642]  kthread+0x328/0x630
[   54.293853]  ret_from_fork+0x10/0x20
[   54.297412] 
[   54.298889] Freed by task 312:
[   54.301927]  kasan_save_stack+0x3c/0x68
[   54.305746]  kasan_save_track+0x20/0x40
[   54.309565]  kasan_save_free_info+0x4c/0x78
[   54.313731]  __kasan_mempool_poison_object+0xc0/0x150
[   54.318766]  mempool_free+0x28c/0x328
[   54.322412]  mempool_uaf_helper+0x104/0x340
[   54.326579]  mempool_slab_uaf+0xc0/0x118
[   54.330484]  kunit_try_run_case+0x170/0x3f0
[   54.334651]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   54.340120]  kthread+0x328/0x630
[   54.343332]  ret_from_fork+0x10/0x20
[   54.346891] 
[   54.348368] The buggy address belongs to the object at ffff0008048cd240
[   54.348368]  which belongs to the cache test_cache of size 123
[   54.360781] The buggy address is located 0 bytes inside of
[   54.360781]  freed 123-byte region [ffff0008048cd240, ffff0008048cd2bb)
[   54.372845] 
[   54.374324] The buggy address belongs to the physical page:
[   54.379881] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8848cd
[   54.387865] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   54.394374] page_type: f5(slab)
[   54.397511] raw: 0bfffe0000000000 ffff00080188e640 dead000000000122 0000000000000000
[   54.405230] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   54.412950] page dumped because: kasan: bad access detected
[   54.418504] 
[   54.419979] Memory state around the buggy address:
[   54.424761]  ffff0008048cd100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   54.431964]  ffff0008048cd180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.439167] >ffff0008048cd200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   54.446368]                                            ^
[   54.451667]  ffff0008048cd280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   54.458872]  ffff0008048cd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.466074] ==================================================================
Metadata Full log Test run details 

[   32.669263] ==================================================================
[   32.669487] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.669649] Read of size 1 at addr fff00000c64c4240 by task kunit_try_catch/263
[   32.669699] 
[   32.669858] CPU: 1 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   32.669994] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.670053] Hardware name: linux,dummy-virt (DT)
[   32.670169] Call trace:
[   32.670252]  show_stack+0x20/0x38 (C)
[   32.670365]  dump_stack_lvl+0x8c/0xd0
[   32.670561]  print_report+0x118/0x5d0
[   32.670607]  kasan_report+0xdc/0x128
[   32.670657]  __asan_report_load1_noabort+0x20/0x30
[   32.670964]  mempool_uaf_helper+0x314/0x340
[   32.671032]  mempool_slab_uaf+0xc0/0x118
[   32.671363]  kunit_try_run_case+0x170/0x3f0
[   32.671579]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.671749]  kthread+0x328/0x630
[   32.671821]  ret_from_fork+0x10/0x20
[   32.671879] 
[   32.671963] Allocated by task 263:
[   32.672016]  kasan_save_stack+0x3c/0x68
[   32.672077]  kasan_save_track+0x20/0x40
[   32.672118]  kasan_save_alloc_info+0x40/0x58
[   32.672157]  __kasan_mempool_unpoison_object+0xbc/0x180
[   32.672199]  remove_element+0x16c/0x1f8
[   32.672277]  mempool_alloc_preallocated+0x58/0xc0
[   32.672351]  mempool_uaf_helper+0xa4/0x340
[   32.672512]  mempool_slab_uaf+0xc0/0x118
[   32.672554]  kunit_try_run_case+0x170/0x3f0
[   32.672596]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.672693]  kthread+0x328/0x630
[   32.672798]  ret_from_fork+0x10/0x20
[   32.672880] 
[   32.672946] Freed by task 263:
[   32.673018]  kasan_save_stack+0x3c/0x68
[   32.673058]  kasan_save_track+0x20/0x40
[   32.673099]  kasan_save_free_info+0x4c/0x78
[   32.673138]  __kasan_mempool_poison_object+0xc0/0x150
[   32.673267]  mempool_free+0x28c/0x328
[   32.673305]  mempool_uaf_helper+0x104/0x340
[   32.673342]  mempool_slab_uaf+0xc0/0x118
[   32.673380]  kunit_try_run_case+0x170/0x3f0
[   32.673429]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.673482]  kthread+0x328/0x630
[   32.673514]  ret_from_fork+0x10/0x20
[   32.673974] 
[   32.674006] The buggy address belongs to the object at fff00000c64c4240
[   32.674006]  which belongs to the cache test_cache of size 123
[   32.674080] The buggy address is located 0 bytes inside of
[   32.674080]  freed 123-byte region [fff00000c64c4240, fff00000c64c42bb)
[   32.674292] 
[   32.674383] The buggy address belongs to the physical page:
[   32.674416] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064c4
[   32.674482] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.674534] page_type: f5(slab)
[   32.674578] raw: 0bfffe0000000000 fff00000c650c140 dead000000000122 0000000000000000
[   32.674626] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   32.674666] page dumped because: kasan: bad access detected
[   32.674697] 
[   32.674714] Memory state around the buggy address:
[   32.674748]  fff00000c64c4100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.674991]  fff00000c64c4180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.675047] >fff00000c64c4200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   32.675477]                                            ^
[   32.675657]  fff00000c64c4280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.675701]  fff00000c64c4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.675739] ==================================================================
[   32.633815] ==================================================================
[   32.633907] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340
[   32.633976] Read of size 1 at addr fff00000c9147a00 by task kunit_try_catch/259
[   32.634025] 
[   32.634066] CPU: 1 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   32.634154] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.634549] Hardware name: linux,dummy-virt (DT)
[   32.634676] Call trace:
[   32.634703]  show_stack+0x20/0x38 (C)
[   32.634757]  dump_stack_lvl+0x8c/0xd0
[   32.635096]  print_report+0x118/0x5d0
[   32.635249]  kasan_report+0xdc/0x128
[   32.635294]  __asan_report_load1_noabort+0x20/0x30
[   32.635345]  mempool_uaf_helper+0x314/0x340
[   32.635471]  mempool_kmalloc_uaf+0xc4/0x120
[   32.635518]  kunit_try_run_case+0x170/0x3f0
[   32.635570]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.635642]  kthread+0x328/0x630
[   32.635693]  ret_from_fork+0x10/0x20
[   32.635874] 
[   32.635893] Allocated by task 259:
[   32.635929]  kasan_save_stack+0x3c/0x68
[   32.635986]  kasan_save_track+0x20/0x40
[   32.636167]  kasan_save_alloc_info+0x40/0x58
[   32.636255]  __kasan_mempool_unpoison_object+0x11c/0x180
[   32.636298]  remove_element+0x130/0x1f8
[   32.636336]  mempool_alloc_preallocated+0x58/0xc0
[   32.636383]  mempool_uaf_helper+0xa4/0x340
[   32.636470]  mempool_kmalloc_uaf+0xc4/0x120
[   32.636507]  kunit_try_run_case+0x170/0x3f0
[   32.636544]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.636587]  kthread+0x328/0x630
[   32.636620]  ret_from_fork+0x10/0x20
[   32.636655] 
[   32.636675] Freed by task 259:
[   32.636700]  kasan_save_stack+0x3c/0x68
[   32.636738]  kasan_save_track+0x20/0x40
[   32.637278]  kasan_save_free_info+0x4c/0x78
[   32.637548]  __kasan_mempool_poison_object+0xc0/0x150
[   32.637753]  mempool_free+0x28c/0x328
[   32.637806]  mempool_uaf_helper+0x104/0x340
[   32.638030]  mempool_kmalloc_uaf+0xc4/0x120
[   32.638083]  kunit_try_run_case+0x170/0x3f0
[   32.638122]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.638163]  kthread+0x328/0x630
[   32.638197]  ret_from_fork+0x10/0x20
[   32.638233] 
[   32.638255] The buggy address belongs to the object at fff00000c9147a00
[   32.638255]  which belongs to the cache kmalloc-128 of size 128
[   32.638317] The buggy address is located 0 bytes inside of
[   32.638317]  freed 128-byte region [fff00000c9147a00, fff00000c9147a80)
[   32.638377] 
[   32.638400] The buggy address belongs to the physical page:
[   32.638447] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109147
[   32.638502] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.638553] page_type: f5(slab)
[   32.638593] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[   32.638641] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.638681] page dumped because: kasan: bad access detected
[   32.638722] 
[   32.638739] Memory state around the buggy address:
[   32.638773]  fff00000c9147900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.639178]  fff00000c9147980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.639417] >fff00000c9147a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.639469]                    ^
[   32.639534]  fff00000c9147a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.639576]  fff00000c9147b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.639680] ==================================================================
Metadata Full log Test run details 

[   25.565536] ==================================================================
[   25.566132] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   25.566417] Read of size 1 at addr ffff888105922100 by task kunit_try_catch/275
[   25.566785] 
[   25.566891] CPU: 0 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) 
[   25.566964] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.566980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.567007] Call Trace:
[   25.567022]  <TASK>
[   25.567042]  dump_stack_lvl+0x73/0xb0
[   25.567081]  print_report+0xd1/0x610
[   25.567110]  ? __virt_addr_valid+0x1db/0x2d0
[   25.567143]  ? mempool_uaf_helper+0x392/0x400
[   25.567171]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.567202]  ? mempool_uaf_helper+0x392/0x400
[   25.567230]  kasan_report+0x141/0x180
[   25.567258]  ? mempool_uaf_helper+0x392/0x400
[   25.567292]  __asan_report_load1_noabort+0x18/0x20
[   25.567321]  mempool_uaf_helper+0x392/0x400
[   25.567350]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   25.567383]  ? finish_task_switch.isra.0+0x153/0x700
[   25.567416]  mempool_kmalloc_uaf+0xef/0x140
[   25.567444]  ? __pfx_mempool_kmalloc_uaf+0x10/0x10
[   25.567475]  ? __pfx_mempool_kmalloc+0x10/0x10
[   25.567505]  ? __pfx_mempool_kfree+0x10/0x10
[   25.567551]  ? __pfx_read_tsc+0x10/0x10
[   25.567578]  ? ktime_get_ts64+0x86/0x230
[   25.567610]  kunit_try_run_case+0x1a5/0x480
[   25.567656]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.567684]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.567712]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.567742]  ? __kthread_parkme+0x82/0x180
[   25.567770]  ? preempt_count_sub+0x50/0x80
[   25.567800]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.567830]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.567863]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.567895]  kthread+0x337/0x6f0
[   25.567920]  ? trace_preempt_on+0x20/0xc0
[   25.567951]  ? __pfx_kthread+0x10/0x10
[   25.567976]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.568007]  ? calculate_sigpending+0x7b/0xa0
[   25.568036]  ? __pfx_kthread+0x10/0x10
[   25.568065]  ret_from_fork+0x116/0x1d0
[   25.568089]  ? __pfx_kthread+0x10/0x10
[   25.568115]  ret_from_fork_asm+0x1a/0x30
[   25.568158]  </TASK>
[   25.568171] 
[   25.575518] Allocated by task 275:
[   25.575699]  kasan_save_stack+0x45/0x70
[   25.575872]  kasan_save_track+0x18/0x40
[   25.576068]  kasan_save_alloc_info+0x3b/0x50
[   25.576258]  __kasan_mempool_unpoison_object+0x1a9/0x200
[   25.576512]  remove_element+0x11e/0x190
[   25.576782]  mempool_alloc_preallocated+0x4d/0x90
[   25.576999]  mempool_uaf_helper+0x96/0x400
[   25.577187]  mempool_kmalloc_uaf+0xef/0x140
[   25.577365]  kunit_try_run_case+0x1a5/0x480
[   25.577573]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.577848]  kthread+0x337/0x6f0
[   25.578020]  ret_from_fork+0x116/0x1d0
[   25.578208]  ret_from_fork_asm+0x1a/0x30
[   25.578421] 
[   25.578531] Freed by task 275:
[   25.578649]  kasan_save_stack+0x45/0x70
[   25.578856]  kasan_save_track+0x18/0x40
[   25.578998]  kasan_save_free_info+0x3f/0x60
[   25.579146]  __kasan_mempool_poison_object+0x131/0x1d0
[   25.579382]  mempool_free+0x2ec/0x380
[   25.579577]  mempool_uaf_helper+0x11a/0x400
[   25.579829]  mempool_kmalloc_uaf+0xef/0x140
[   25.580011]  kunit_try_run_case+0x1a5/0x480
[   25.580158]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.580403]  kthread+0x337/0x6f0
[   25.580585]  ret_from_fork+0x116/0x1d0
[   25.580778]  ret_from_fork_asm+0x1a/0x30
[   25.580953] 
[   25.581031] The buggy address belongs to the object at ffff888105922100
[   25.581031]  which belongs to the cache kmalloc-128 of size 128
[   25.581391] The buggy address is located 0 bytes inside of
[   25.581391]  freed 128-byte region [ffff888105922100, ffff888105922180)
[   25.581749] 
[   25.581821] The buggy address belongs to the physical page:
[   25.582038] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105922
[   25.582398] flags: 0x200000000000000(node=0|zone=2)
[   25.582644] page_type: f5(slab)
[   25.582812] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.583153] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.583482] page dumped because: kasan: bad access detected
[   25.583706] 
[   25.583773] Memory state around the buggy address:
[   25.583929]  ffff888105922000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.584143]  ffff888105922080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.584358] >ffff888105922100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.584645]                    ^
[   25.584824]  ffff888105922180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.585146]  ffff888105922200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.585465] ==================================================================
[   25.620468] ==================================================================
[   25.621078] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400
[   25.621913] Read of size 1 at addr ffff888105926240 by task kunit_try_catch/279
[   25.622574] 
[   25.622819] CPU: 0 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) 
[   25.622887] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.622902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.622929] Call Trace:
[   25.622945]  <TASK>
[   25.622966]  dump_stack_lvl+0x73/0xb0
[   25.623005]  print_report+0xd1/0x610
[   25.623035]  ? __virt_addr_valid+0x1db/0x2d0
[   25.623066]  ? mempool_uaf_helper+0x392/0x400
[   25.623094]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.623126]  ? mempool_uaf_helper+0x392/0x400
[   25.623154]  kasan_report+0x141/0x180
[   25.623181]  ? mempool_uaf_helper+0x392/0x400
[   25.623216]  __asan_report_load1_noabort+0x18/0x20
[   25.623245]  mempool_uaf_helper+0x392/0x400
[   25.623273]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   25.623306]  ? finish_task_switch.isra.0+0x153/0x700
[   25.623340]  mempool_slab_uaf+0xea/0x140
[   25.623368]  ? __pfx_mempool_slab_uaf+0x10/0x10
[   25.623400]  ? __pfx_mempool_alloc_slab+0x10/0x10
[   25.623431]  ? __pfx_mempool_free_slab+0x10/0x10
[   25.623462]  ? __pfx_read_tsc+0x10/0x10
[   25.623490]  ? ktime_get_ts64+0x86/0x230
[   25.623534]  kunit_try_run_case+0x1a5/0x480
[   25.623565]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.623592]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.623767]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.623798]  ? __kthread_parkme+0x82/0x180
[   25.623826]  ? preempt_count_sub+0x50/0x80
[   25.623856]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.623885]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.623917]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.623950]  kthread+0x337/0x6f0
[   25.623975]  ? trace_preempt_on+0x20/0xc0
[   25.624005]  ? __pfx_kthread+0x10/0x10
[   25.624031]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.624062]  ? calculate_sigpending+0x7b/0xa0
[   25.624092]  ? __pfx_kthread+0x10/0x10
[   25.624119]  ret_from_fork+0x116/0x1d0
[   25.624144]  ? __pfx_kthread+0x10/0x10
[   25.624170]  ret_from_fork_asm+0x1a/0x30
[   25.624213]  </TASK>
[   25.624228] 
[   25.634665] Allocated by task 279:
[   25.635761]  kasan_save_stack+0x45/0x70
[   25.635938]  kasan_save_track+0x18/0x40
[   25.637175]  kasan_save_alloc_info+0x3b/0x50
[   25.638162]  __kasan_mempool_unpoison_object+0x1bb/0x200
[   25.638694]  remove_element+0x11e/0x190
[   25.639084]  mempool_alloc_preallocated+0x4d/0x90
[   25.639255]  mempool_uaf_helper+0x96/0x400
[   25.639403]  mempool_slab_uaf+0xea/0x140
[   25.639558]  kunit_try_run_case+0x1a5/0x480
[   25.640371]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.641993]  kthread+0x337/0x6f0
[   25.642310]  ret_from_fork+0x116/0x1d0
[   25.642493]  ret_from_fork_asm+0x1a/0x30
[   25.643090] 
[   25.643275] Freed by task 279:
[   25.643561]  kasan_save_stack+0x45/0x70
[   25.643985]  kasan_save_track+0x18/0x40
[   25.644561]  kasan_save_free_info+0x3f/0x60
[   25.645021]  __kasan_mempool_poison_object+0x131/0x1d0
[   25.645481]  mempool_free+0x2ec/0x380
[   25.645848]  mempool_uaf_helper+0x11a/0x400
[   25.646197]  mempool_slab_uaf+0xea/0x140
[   25.646341]  kunit_try_run_case+0x1a5/0x480
[   25.646497]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.647025]  kthread+0x337/0x6f0
[   25.647390]  ret_from_fork+0x116/0x1d0
[   25.647789]  ret_from_fork_asm+0x1a/0x30
[   25.648165] 
[   25.648319] The buggy address belongs to the object at ffff888105926240
[   25.648319]  which belongs to the cache test_cache of size 123
[   25.649107] The buggy address is located 0 bytes inside of
[   25.649107]  freed 123-byte region [ffff888105926240, ffff8881059262bb)
[   25.649468] 
[   25.649567] The buggy address belongs to the physical page:
[   25.649890] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105926
[   25.650652] flags: 0x200000000000000(node=0|zone=2)
[   25.651129] page_type: f5(slab)
[   25.651270] raw: 0200000000000000 ffff888105920140 dead000000000122 0000000000000000
[   25.651503] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000
[   25.652137] page dumped because: kasan: bad access detected
[   25.652639] 
[   25.652849] Memory state around the buggy address:
[   25.653359]  ffff888105926100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.653998]  ffff888105926180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.654227] >ffff888105926200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   25.654442]                                            ^
[   25.654825]  ffff888105926280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.655101]  ffff888105926300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.655361] ==================================================================
Metadata Full log Test run details